[Bug 574087] Replace "Known Vulnerabilities" page
Bugzilla Link | 574087 |
Status | NEW |
Importance | P3 normal |
Reported | Jun 08, 2021 22:08 EDT |
Modified | Jun 09, 2021 15:23 EDT |
Description
The current Known Vulnerabilities page [1] is generated from Bugzilla. Bugzilla is no longer the source of truth.
This page should be populated with the information that we disclose via MITRE (that is, with the CVEs that we create).
I keep a list of the CVEs that we assign in a Google Spreadsheet [2]. Note that access to the spreadsheet is restricted (any EF staff member can view) because it often includes information that has not yet been disclosed, and vulnerabilities are sometimes sensitive.
Ideally, we can generate a public webpage from the information provided in the spreadsheet.
The spreadsheet has several columns. The following are germane:
ID - the CVE ID that we, as a CNA, assign to the vulnerability
Date - the date that the assignment is initiated
Project - the id (e.g., "technology.dash") of the affected project
CVE Pull Request - URL of the pull request for promotion.
Every row that has a value in the "CVE Pull Request" column has been disclosed and should be displayed on a "known vulnerabilities" page.
I envision a table of some form with similar columns:
ID - the CVE ID with a link to the CVE on cve.mitre.org
Project - the name of the project with a link to the PMI page
Description - Description of the issue.
The Description is a paragraph (or so) of text that describes the issue. I don't currently capture this in the spreadsheet. The description is available in the "cvelist" Git repository [3]. At least theoretically, the description can change so I'd rather not try to maintain it in two places, but will if that's just easier.
[1] https://www.eclipse.org/security/known.php
[2] https://docs.google.com/spreadsheets/d/1LnzXLirzF0wrnuKam0UUMQzK85PcQ8gpwxUrHCUPrSw/edit?usp=sharing
[3] git@github.com:CVEProject/cvelist.git
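The generator sketched in the report, as an added example (not code from the bug report or from the Eclipse Foundation). It assumes the spreadsheet is exported as CSV with the column headers named in the report, that cvelist records are CVE JSON 4.0 files laid out as `<root>/<year>/<Nxxx>/CVE-<year>-<N>.json`, and that PMI pages live at `https://projects.eclipse.org/projects/<project id>`; the CVE IDs, dates, PR URLs and descriptions in the sample data are constructed placeholders. It keeps only rows with a non-empty "CVE Pull Request" column, validates IDs and project ids before they go into URLs, and HTML-escapes everything pulled from cvelist, since the description text comes from an external repository and is rendered on a public page.

```python
"""Render a 'known vulnerabilities' HTML table from a CSV export of the CVE
tracking spreadsheet plus descriptions taken from cvelist JSON records."""
import csv
import html
import io
import json
import re
from pathlib import Path

# Assumed URL patterns (not stated in the bug report).
MITRE_URL = "https://cve.mitre.org/cgi-bin/cvename.cgi?name={cve}"
PMI_URL = "https://projects.eclipse.org/projects/{project}"

CVE_ID_RE = re.compile(r"CVE-(\d{4})-(\d{4,})")
PROJECT_ID_RE = re.compile(r"[a-z0-9][a-z0-9.\-]*")

# Constructed sample export of the spreadsheet (assumed column headers).
SAMPLE_CSV = """ID,Date,Project,CVE Pull Request
CVE-2021-12345,2021-05-01,technology.dash,https://github.com/CVEProject/cvelist/pull/1
CVE-2021-12346,2021-05-10,eclipse.jetty,
CVE-2021-12347,2021-06-01,technology.edc,https://github.com/CVEProject/cvelist/pull/2
"""

# Constructed cvelist-style records (CVE JSON 4.0 shape). CVE-2021-12347 is
# deliberately absent to exercise the "not yet published" path. The first
# description carries markup to show that escaping is required.
SAMPLE_CVELIST = {
    "CVE-2021-12345": {
        "CVE_data_meta": {"ID": "CVE-2021-12345"},
        "description": {"description_data": [
            {"lang": "eng", "value": "Placeholder <script>alert(1)</script> text"}]},
    },
}


def disclosed_rows(csv_text):
    """Rows whose 'CVE Pull Request' column is filled, i.e. disclosed CVEs."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not (row.get("CVE Pull Request") or "").strip():
            continue
        cve_id = (row.get("ID") or "").strip()
        project = (row.get("Project") or "").strip()
        # Reject anything that is not a well-formed ID before it reaches a URL.
        if not CVE_ID_RE.fullmatch(cve_id):
            raise ValueError(f"malformed CVE ID in spreadsheet: {cve_id!r}")
        if not PROJECT_ID_RE.fullmatch(project):
            raise ValueError(f"malformed project id in spreadsheet: {project!r}")
        rows.append({"id": cve_id, "project": project})
    return rows


def cve_sort_key(cve_id):
    year, num = CVE_ID_RE.fullmatch(cve_id).groups()
    return (int(year), int(num))


def cvelist_path(root, cve_id):
    """Assumed cvelist layout: <root>/<year>/<Nxxx>/CVE-<year>-<N>.json."""
    year, num = CVE_ID_RE.fullmatch(cve_id).groups()
    return Path(root) / year / f"{int(num) // 1000}xxx" / f"{cve_id}.json"


def english_description(record):
    for entry in record.get("description", {}).get("description_data", []):
        if entry.get("lang") == "eng":
            return entry.get("value", "")
    return ""


def describe_from_disk(root):
    """Lookup that reads a local clone of cvelist; missing record -> ''."""
    def describe(cve_id):
        path = cvelist_path(root, cve_id)
        if not path.is_file():
            return ""
        return english_description(json.loads(path.read_text(encoding="utf-8")))
    return describe


def sample_describe(cve_id):
    return english_description(SAMPLE_CVELIST.get(cve_id, {}))


def render_table(rows, describe):
    """HTML table, newest CVE first; every cell value is escaped."""
    out = ["<table>", "<tr><th>ID</th><th>Project</th><th>Description</th></tr>"]
    for row in sorted(rows, key=lambda r: cve_sort_key(r["id"]), reverse=True):
        cve = html.escape(row["id"], quote=True)
        project = html.escape(row["project"], quote=True)
        desc = html.escape(describe(row["id"]) or "(description not yet published)")
        out.append(
            f'<tr><td><a href="{MITRE_URL.format(cve=cve)}">{cve}</a></td>'
            f'<td><a href="{PMI_URL.format(project=project)}">{project}</a></td>'
            f"<td>{desc}</td></tr>"
        )
    out.append("</table>")
    return "\n".join(out)


def generate(csv_text, describe):
    return render_table(disclosed_rows(csv_text), describe)


if __name__ == "__main__":
    # For a real run: generate(Path("export.csv").read_text(), describe_from_disk("cvelist"))
    print(generate(SAMPLE_CSV, sample_describe))
```

Because the description is looked up from cvelist at generation time rather than copied into the spreadsheet, a later edit to the MITRE record is picked up on the next run, which addresses the "maintain it in two places" concern in the report; a row whose record has not landed in cvelist yet renders with a placeholder instead of failing the whole build.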